Topic: you think Trezor is a safe way for bitcoin ! (Read 5973 times)

The recent incidents are quite worrying. I never thought that coins could be stolen from hardware wallets such as Trezor and Ledger. I was only concerned about losing the recovery sheet and backup. In case if Trezor is also vulnerable to theft, then what is the point in spending $200 on each device? We can rather store our coins in Blockchain.info.

Hardware wallet is only a higher safety factor wallet only, as long as the master of the private key, with any support for importing the private key can easily grasp your wallet.

Anyone know if this hack is still working on Trezor?

https://medium.com/@Zero404Cool/trezor-security-glitches-reveal-your-private-keys-761eeab03ff8

Trezor doesn't sound too safe to me if such a simple hack will reveal all passwords and private keys!!

50 - 150 btc , what do you think ?

if I had one, 30% Trezor for spending, rest separated on multisig paper wallets printed in 2 copies, encrypted, and saved in 2 different physical places, never backed up online.

That if I actually had some good amount of BTC, I still didn't reach the point where I am paranoid about keeping them, and I guess I will never reach it since I spend too much.

How many bitcoins would you store on a Trezor?

Or what % of your stash would you store on a Trezor?

Trezor will work even manufacturer company will not exist.  Samsung also do not make laptops currently, but their laptops are in daily use 

Nicely said, once you use a paper wallet dump it, because you will sign it and that signature can lead to bruteforce in case of low entropy.

Everything is possible. Thats why the more Bitcoins you have, the less people you want between you and them, hence the paper wallet is the best solution.

Technically Trezor is safe, with the huge number of possible addresses, it signs the transactions almost offline and than pass to the computer, on it's internal open source chip and software, you can modify the software to fit your needs, you can even build your own with raspberry pie, but it wont take long until someone figure out away to sniff it out through the USB port with a malware, so never trust anything no matter how impossible it seems, I heard it's isolated inside so private keys are in a different unreachable part, but still to trust them or not that's your personal choice, the entropy is a different story, how you generated your keys is very important, weak ECDSA can result in weak signing of hashes, if only two transactions are signed with same output "first half of the signature is the same" than all you need is to figure out the rest of the key which can be easily brute forced given that the public key is already known as the output, so using Trezor with a key generated from the word hello world of course can be hacked.

http://conference.hitb.org/hitbsecconf2014kul/materials/D1T1%20-%20Filippo%20Valsorda%20-%20Exploiting%20ECDSA%20Failures%20in%20the%20Bitcoin%20Blockchain.pdf

So don't have fake feeling of security using Trezor if your key is being exploited online, once you send few transactions you are exposed, blockchain might have the necessary info to sweep your wallet even if your Trezor is offline at your wallet.

I think it safe,depending how secure your password and how often you check you wallet

OK, seeing that I'm still not sleepy enough yet...


Yes, that's correct. Nothing is infallible, not even a steel card that holds my current seed, not even Fort Knox. Always keep multiple secure paper/metal/etching/ backups, and check on them often. ALWAYS. I used to even keep the Armory seed for my escrow wallet with my lawyer, with instructions to distribute them accordingly should anything happen to me and my next of kin.

Quote

if trezor website ceases.. the HARDWARE WALLET is useless... which is the point.. the device is not infallible..

I'm not going to repeat myself, but trezor is not dependent on the website or anything proprietary. Already I've been using the trezor with other open source software out there. I've not really used the site except to try it out. Please read my former posts. *facepalm*

Quote

2. ignoring the paper seed as the backup.. lets keep on the subject of the HARDWARE WALLET and its function..

Awesome - we have another agreement here.

Quote

a) i can create a website that say's
"sorry there seems to be an error, please type in your seed"

If anyone falls for that, it would be the equivalent of someone making a site that says 'Secure Bitcoin Storage with 10000% Interest rate - Send to this address!' and someone actually falling for it. There are multiple warnings that state that your seed is basically your bitcoins, and should you leak it it's your own fault for doing that.

Quote

b) i could create a browser extension that says
"invalid device installed. please reset device and then type in your seed"

See a) for the equivalent - would you download anything that's closed source and new? Any reputable software that works with bitcoin is open source - anything that's closed should be taken with a grain of salt and be avoided in secure environments. Also, in an actual situation where someone uses a hijacked system, and is gullible enough to trust the software to type in his seed (and the software succeeds in resetting the trezor), the trezor actually requests the seeds at a randomized order, and all 24 seeds have to be in a specific order to actually compute the private keys needed. The order is only shown on the trezor, and the software would have no idea of the order of the key requested. Unless I'm much wrong (it's 4am and I just had my nightcap after all) , there's exactly 24 permutate 24 possible combinations here, which gives me 620448401733239439360000 probabilities using a random webpage calculator. That's no small number to bruteforce and to check for the coins, right.  

Quote

c) even if the data is encrypted.. i can clone said data, and then on my own computer with my own cloned trezor. can simply try the pin number 9999 times until im then using your 'account'.

How would you propose 'cloning said data'? The bootloader fuse is blown, and therefore the security logic part of the firmware is rendered unflashable. If said attacker tries to load a malicious firmware on it in order to clone the seed, there would be an invalid signature shown, and the seed is removed if the user decides to load it anyway.
one particular source: http://bitcoin.stackexchange.com/questions/32544/how-can-trezor-update-firmware-but-never-receive-malware

Quote

the funny thing is that trezor is safer than storing on coinbase, safer than storing on electrum.. but its not infallible. and anyone who thinks it's the 100% solution needs to take a step back and give honest advice that its not perfect..

Yep, I still agree with you that it's infallible - but similar hardware wallets like this is the best bet of a hot/semi hot wallet at the moment. And no, there's no 100% solution as of now. Nothing is perfect and nothing is 100%.

Quote

he other part i laugh about.. is when people see the paper seed backup as a feature specific to trezor.. seriously..
for long term storage where you are not spending.. paper is best.. as then you wont get phished.. and paper doesnt need a battery

Agreed. Just make sure you have adequate security practices (new airgapped pristine operating system installed, fully random RNG's using casino dices etc) and you're willing to go through all of this if you're planning use your cold wallet often.

It is not, where are you getting that information. The PIN is stored on the device itself. It would be stupid to store it on Trezor's servers. Again, why do you keep saying that it won't work? Trezor keeps the important data on the device itself, not someone else's servers.

1. is trazor ceases.. yea you can recover coins.. but not because of any function of the plastic gadget. not because of code stored on the gadget.. but because of writing on paper..
again if trezor website ceases.. the HARDWARE WALLET is useless... which is the point.. the device is not infallible..

2. ignoring the paper seed as the backup.. lets keep on the subject of the HARDWARE WALLET and its function.. firstly i see 3 weaknesses.
a) i can create a website that say's
"sorry there seems to be an error, please type in your seed"
b) i could create a browser extension that says
"invalid device installed. please reset device and then type in your seed"
c) even if the data is encrypted.. i can clone said data, and then on my own computer with my own cloned trezor. can simply try the pin number 9999 times until im then using your 'account'.

the funny thing is that trezor is safer than storing on coinbase, safer than storing on electrum.. but its not infallible. and anyone who thinks it's the 100% solution needs to take a step back and give honest advice that its not perfect..

the other part i laugh about.. is when people see the paper seed backup as a feature specific to trezor.. seriously..
for long term storage where you are not spending.. paper is best.. as then you wont get phished.. and paper doesnt need a battery

Many wallets allow you to generate paper wallets locally. Also, most websites which let you generate paper wallets are open source. The idea is that you download the code for the website. Then you take that code and go to an offline computer and generate the address there. That way there is no way that the owners of the website could ever know the private keys and the private keys are never exposed to the internet.

about paper wallet ! do you think that the website you use for generating the wallets can't get your money ? for exemple : if you use a website that generate wallets papper then i got the privat key and public key and put 40 btc on it , i think there is someway for the website who offer the generator to get your privat key , maybe if they save the keys which generated and later the owner of site will check the wallets which generated and see if there is money on them then he will use the privat key and get ur money since he have the privat key and public key becasue you used his website for generrating , correct me if am wrong !

Paper wallets are OK just inconvenient. Forget 50 bitcoin minimum, you need cold storage if you own any bitcoin in my opinion. It is too easy for malware to steal bitcoin from a password protected local bitcoin wallet. It happens all the time.

Cold storage means you have sole possession of the private keys of your bitcoin addresses and the keys are always kept safe offline. You can do it with Armory or Electrum using two computers or just buy a hardware wallet like Trezor or Ledger. I have used all of the current options. Armory and Electrum are no more secure than Trezor or Ledger. The only advantage is privacy, since Armory uses a full node.

Anyone can afford Ledger. Trezor is more expensive at $100 but I think it is worth it for the screen. You also have to use a Ledger Starter to initialize your Ledger as the seed is shown on your computer screen, possibly can be stolen by a keylogger. Trezor does not have that limitation.

what is the best way then for 50 btc + , most of people saying paper wallet some saying no ...

No. I don't think that it is safe to put your Bitcoin into any company. Believe in yourself and make the Bitcoin yourself. Those big companies can always go bankrupt at any time or just decide to shut down their company and run away with your coins.

A wallet that uses audio to send the private key.

http://thesoundkey.com/
https://www.indiegogo.com/projects/the-sound-key-encrypt-digitally-sign-in-safety#/